我目前面临从外部路由流量到docker容器的问题。
这是我的设置:
- Rocky Linux 9.4 主机
- Docker 网络(网桥),IP 范围为 172.20.0.0/16
- 3 个 docker 容器(运行 Rapid7 扫描引擎,但这并不重要),每个容器都在端口 40814 上提供一个服务,但这些端口没有发布到主机上;每个容器在该 docker 网络上都有一个静态 IP(172.20.0.2-4)
- 主机上的firewalld配置:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 10050/tcp 40814/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
source-ports:
icmp-blocks:
rich rules:
我想要实现的是:根据给定的源 IP(我网络上的其他服务器),把流量路由到 3 个 docker 容器中的某一个。其他服务器只知道我的 rocky linux 服务器的 IP 和端口 40814,然后由 rocky linux 服务器决定把流量路由到哪个容器。这并非为了做负载均衡。
我能够(从主机/rocky linux 服务器上)通过 `telnet 172.20.0.2 40814` 确认 docker 容器工作正常,docker 容器日志中也会显示这次连接尝试;但是当我从网络上的其他服务器执行 `telnet 10.0.20.123 40814`(10.0.20.123 是 rocky linux 服务器的 IP)时,只得到 `Trying 10.0.20.123...` 就一直挂起。尝试该 IP 上的任何其他端口都会立即以 `Connection refused` 结束。容器日志中也没有记录到任何连接尝试。
我尝试过不同的防火墙设置,例如:
One:
firewall-cmd --add-rich-rule='rule
family="ipv4" \
source address="10.0.20.120/32" \
port protocol="tcp" port="40814" accept'
firewall-cmd --add-forward-port=port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
firewall-cmd --zone=public --add-forward-port=port=41814:proto=tcp:toaddr=172.20.0.2:toport=40814 --permanent
Two:
firewall-cmd --add-rich-rule='rule
family="ipv4" \
source address="10.0.20.120/32" \
forward-port protocol="tcp" port="41814" toport=40814 toaddr=172.20.0.2'
SELinux 处于 enforcing(强制)模式,但我不确定这是否有影响。
你能帮忙吗?非常感谢!
编辑:添加更多信息
网络相关的docker信息:
"NetworkSettings": {
"Bridge": "",
"SandboxID": "06e60f163d002b1ef377542172f4007dcfa33749bf104315047921ac8af0d8c0",
"SandboxKey": "/var/run/docker/netns/06e60f163d00",
"Ports": {},
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"se-net": {
"IPAMConfig": {
"IPv4Address": "172.20.0.2"
},
"Links": null,
"Aliases": [
"nse-1",
"nse-1"
],
"MacAddress": "02:42:ac:14:00:02",
"DriverOpts": null,
"NetworkID": "ae57f90864d9171ee342803f1ce2d336db530482f000e8a7c2c4ef44fb9f09b9",
"EndpointID": "9f12ea7fca0ce272d3cfcd4797a4d68d88c9542d2b2ce7616581a0f2aff32f90",
"Gateway": "172.20.0.1",
"IPAddress": "172.20.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"DNSNames": [
"nse-1",
"7ee892f16d9f"
]
}
}
}
iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [822:49320]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-ae57f90864d9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ae57f90864d9 -j DOCKER
-A FORWARD -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -i br-ae57f90864d9 -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-ae57f90864d9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*nat
:PREROUTING ACCEPT [434998:26094074]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [62817:4380590]
:POSTROUTING ACCEPT [62817:4380590]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-ae57f90864d9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-ae57f90864d9 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024
nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "br-ae57f90864d9" counter packets 0 bytes 0 return
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 172.20.0.0/16 oifname != "br-ae57f90864d9" counter packets 15 bytes 900 masquerade
ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 433464 bytes 26008040 jump DOCKER
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 20043 bytes 21105956 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 6609 bytes 387973 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 821 bytes 49260 jump DOCKER-USER
counter packets 821 bytes 49260 jump DOCKER-ISOLATION-STAGE-1
oifname "br-ae57f90864d9" ct state related,established counter packets 0 bytes 0 accept
oifname "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 accept
iifname "br-ae57f90864d9" oifname "br-ae57f90864d9" counter packets 0 bytes 0 accept
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 870 bytes 52200 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 20043 bytes 21105956 return
}
}
table ip6 nat {
chain DOCKER {
}
}
table ip6 filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump DOCKER-USER
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "br-ae57f90864d9" goto mangle_PRE_docker
iifname "docker0" goto mangle_PRE_docker
iifname "ens192" goto mangle_PRE_public
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "br-ae57f90864d9" goto nat_PRE_docker
iifname "docker0" goto nat_PRE_docker
iifname "ens192" goto nat_PRE_public
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
oifname { "docker0", "br-ae57f90864d9" } jump nat_POST_policy_docker-forwarding
}
chain nat_POSTROUTING_ZONES {
oifname "br-ae57f90864d9" goto nat_POST_docker
oifname "docker0" goto nat_POST_docker
oifname "ens192" goto nat_POST_public
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_ZONES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "br-ae57f90864d9" goto filter_IN_docker
iifname "docker0" goto filter_IN_docker
iifname "ens192" goto filter_IN_public
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
oifname { "docker0", "br-ae57f90864d9" } jump filter_FWD_policy_docker-forwarding
}
chain filter_FORWARD_ZONES {
iifname "br-ae57f90864d9" goto filter_FWD_docker
iifname "docker0" goto filter_FWD_docker
iifname "ens192" goto filter_FWD_public
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 accept
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 9090 accept
tcp dport 10050 accept
tcp dport 40814 accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
oifname "ens192" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.17.0.2:40814
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
oifname "docker0" accept
oifname "br-ae57f90864d9" accept
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
chain filter_FWD_policy_docker-forwarding {
jump filter_FWD_policy_docker-forwarding_pre
jump filter_FWD_policy_docker-forwarding_log
jump filter_FWD_policy_docker-forwarding_deny
jump filter_FWD_policy_docker-forwarding_allow
jump filter_FWD_policy_docker-forwarding_post
accept
}
chain filter_FWD_policy_docker-forwarding_pre {
}
chain filter_FWD_policy_docker-forwarding_log {
}
chain filter_FWD_policy_docker-forwarding_deny {
}
chain filter_FWD_policy_docker-forwarding_allow {
}
chain filter_FWD_policy_docker-forwarding_post {
}
chain nat_POST_policy_docker-forwarding {
jump nat_POST_policy_docker-forwarding_pre
jump nat_POST_policy_docker-forwarding_log
jump nat_POST_policy_docker-forwarding_deny
jump nat_POST_policy_docker-forwarding_allow
jump nat_POST_policy_docker-forwarding_post
}
chain nat_POST_policy_docker-forwarding_pre {
}
chain nat_POST_policy_docker-forwarding_log {
}
chain nat_POST_policy_docker-forwarding_deny {
}
chain nat_POST_policy_docker-forwarding_allow {
}
chain nat_POST_policy_docker-forwarding_post {
}
}
firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-ae57f90864d9 docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.20.120/32" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 10050/tcp 40814/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"
rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.17.0.2"
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: